Cerber Ransomware Removal

Cerber ransomware belongs to the category of win-lockers. The purpose of the clandestine program is to make proceeds at the expense of innocent computer users. The virus locks the files on the targeted machine and asks for a ransom to decrypt them. It targets text documents, custom programs, internet files, databases, archives, multimedia and other file types. The encryption process and the demands of the win-locker are standard.

The origin of Cerber ransomware is unknown. There are speculations that the nefarious program was developed by Russian hackers. The reason for this assumption is that the win-locker does not harm computers located in the following 12 countries: Russia, Belarus, Ukraine, Moldova, Kazakhstan, Azerbaijan, Uzbekistan, Kyrgyzstan, Tajikistan, Turkmenistan, Georgia and Armenia. All of these countries were once part of the USSR. Only the Baltic states are not exempt from the virus’ attack.

Cerber ransomware travels with spam e-mails, hidden behind an attachment. It gets installed into the %AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\ folder. The virus assumes a fake name to make itself appear as an executable process, like autochk.exe.

Security experts have isolated source e-mails for Cerber ransomware. They have identified host files for the furtive program. The win-locker latches onto .doc and .wsf files. The host is often packed inside a zip archive. A zip attachment, retrieved by security experts, was titled 4x94_396_y. A host file by the name of b1_263-Copy-Copy-Copy.doc was also retrieved.

To protect yourself from spam e-mails, you have to look up the sender’s data. He could misrepresent a reliable company or entity. Spammers often write on behalf of national posts, courier firms, banks and government branches. They make the message look genuine by copying the contacts of the entity and registering a fake account which resembles its official e-mail address. If the message looks important, you can contact the organization to confirm its legitimacy.

The malignant program uses AES-256 encryption technology to lock files. It appends the .cerber suffix to each encrypted file. Cerber ransomware rearranges the names of the files, as well. It generates a random combination of 10 letters, both capital and lower case. At the end of the process, your files will become unrecognizable.

Cerber ransomware creates three files to tell the victim about his predicament and state its demands. We will refer to them as ransom notes. The malevolent program places them in every folder which contains encrypted data. They are titled #DECRYPT MY FILES#.txt, #DECRYPT MY FILES#.html and #DECRYPT MY FILES#.vbs. The Cerber ransomware name may derive from the concept of the ransom notes. Each of them has a unique purpose.
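The file-name indicators described above (ten random letters followed by the .cerber suffix, and the three #DECRYPT MY FILES# notes) can be used to map which folders were hit. The Python script below is an added example, not part of the original article; its function names and the sample folder tree it builds are constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the article: 10 random letters + ".cerber", and three notes.
ENCRYPTED_NAME = re.compile(r"[A-Za-z]{10}\.cerber")
RANSOM_NOTES = {f"#DECRYPT MY FILES#{ext}" for ext in (".txt", ".html", ".vbs")}


def scan_tree(root):
    """Return {folder: {"encrypted": [...], "notes": [...]}} for folders with indicators."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        encrypted = sorted(f for f in files if ENCRYPTED_NAME.fullmatch(f))
        notes = sorted(f for f in files if f in RANSOM_NOTES)
        if encrypted or notes:
            findings[folder] = {"encrypted": encrypted, "notes": notes}
    return findings


def classify(hit):
    """Renamed files plus all three notes is the full pattern; anything less is partial."""
    if hit["encrypted"] and len(hit["notes"]) == len(RANSOM_NOTES):
        return "confirmed"
    return "suspicious"


def build_sample_tree(base):
    """Constructed sample data: one fully affected folder, one clean, one partial."""
    layout = {
        "Documents": ["aBcDeFgHiJ.cerber", "QwErTyUiOp.cerber", *RANSOM_NOTES],
        "Pictures": ["holiday.jpg", "notes.cerber.bak"],  # neither matches the pattern
        "Music": ["ZzYyXxWwVv.cerber"],                   # renamed file, no notes
    }
    for folder, names in layout.items():
        Path(base, folder).mkdir()
        for name in names:
            Path(base, folder, name).write_text("x")
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for folder, hit in scan_tree(build_sample_tree(tmp)).items():
            print(classify(hit), folder, hit)
```

Pointing scan_tree at a user profile or a mounted backup shows which folders need restoring and which were left untouched.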

Cerber ransom note

The .txt file introduces the virus. It begins with a two-dimensional sign of the word “cerber”. The name of the virus is written in capitals with a large font. The note explains why your files have been infected and what the owners of the rogue program want. The contents of the .txt and .html notes are similar.

Once you have been introduced to Cerber ransomware, you can have a thorough look at the payment process. The .html document is more straightforward in stating the hackers’ demands. You will find out that you have to pay in bitcoins and use the Tor browser to conduct the transaction. There is a reason for these requirements. Both the bitcoin cryptocurrency and the Tor browser assure the anonymity of the involved parties. The cyber criminals do not have to worry about being tracked down.

The owners of Cerber ransomware demand 1.24 BTC. This sum converts to $798.23 USD, according to the current exchange rate. The hackers have decided to play mind games in an attempt to pressure their victims. They give people 7 days to complete the transaction. A countdown clock measures the time you have left. If you were to miss the deadline, you would end up owing twice as much. After the first week, the ransom increases to 2.48 BTC or $1596.45 USD. A lot of win-lockers use scare tactics.

Speaking of scare tactics, this is exactly what the last of the ransom notes is created for. The .vbs file contains a VBScript which plays an audio message to the victim. The message is a synthetic female voice. It says “Attention!” thrice and then repeats a short phrase five times. The message says: “Your documents, photos, databases and other important files have been encrypted!”.

The two text notes end with a Latin quote: “Quod me non necat me fortiorem facit”. This translates to: “That which does not kill me, makes me stronger”. It appears that the creators of Cerber ransomware like ancient languages and mythology just as much as they like scaring people. You should not allow these mind games to get to you.

The developers of Cerber ransomware have added an option to prove the legitimacy of the decrypter. They offer to decrypt 1 file for free. It has to be 512 kilobytes or less in size. The decrypter supports 12 languages: English, German, Spanish, French, Chinese, Japanese, Portuguese, Polish, Italian, Turkish, Arabic and Dutch. Paying the ransom is the easy route, but this solution comes at a high price. Besides, your files rightfully belong to you. We do not advise you to pay the ransom.

Be advised that you should take immediate action to remove Cerber ransomware from your computer. Deliberating over whether to pay the ransom would result in the cyber criminals taking further action. Security experts have discovered that the insidious program is bundled with bots. They allow the hackers to use your machine for performing distributed denial of service (DDoS) attacks. Your computer will be involved in a scheme for harming other people’s operating systems.
